Is decrypting secrets with ccrypt and piping the result via stdin to openvpn secure?
I've written the following alias to start an openvpn client more easily than before:
sudo bash -c 'cd OPVN_CONFIGS_DIR && ccrypt --cat _auth.conf.cpt | openvpn --config waw-001.ovpn --auth-user-pass /dev/stdin'
NB: OPVN_CONFIGS_DIR is located in a synced folder (let's say Dropbox for simplicity)
NB: bash -c rather than a simple expansion because this is sometimes run in fish shell
The options I had before:
- Use auth-user-pass to store my username + password in clear text. Looks to be the default option with openvpn but seems like a bad idea in general and even more so in my case since the secrets would be stored in a synced folder.
- Enter my openvpn username and password every time which is a pain since the password is a very long random string. I cannot set a password myself, only reset it to another, just as long, random string. (and I'm not comfortable using a CLI password manager that stores passwords in the clipboard like passwordstore.org does)
My issue is that with the previous command openvpn complains about the following:
WARNING: file '/dev/stdin' is group or others accessible
My questions:
- What are the implications of this warning?
- What is the 'group' mentioned in the warning? The sudo group?
- Is there a better way to manage secrets on the client side with openvpn?
Thank you